<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=191 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:27:00 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Manage sessions closely
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>





<div class="main-layout">
 
   

 




<div class='page-title'>Manage sessions closely</div>

<div class='main-body'>
 
<br>
Sessions should be managed with some care, for two main reasons:
<ul>
 <li>sessions carry security risks: the session identifier is a bearer credential, so anyone who obtains it can act as the logged-in user for as long as the session stays valid.
 <li>sessions consume server resources, and should be avoided wherever they aren't actually needed.
</ul>

Unfortunately, the Servlet API is rather liberal in creating sessions. 
Various tools have default behaviors which can implicitly create sessions in the background.
It's very easy for an application to "accidentally" create a session, even when one was not explicitly requested.

<P>As an example, a JSP will by default create a session if one doesn't already exist, so that the implicit <tt>session</tt> variable is available to the page.
As a second example, calling <tt>request.getSession()</tt> with no argument will also create a session if one doesn't already exist; only <tt>request.getSession(false)</tt> returns <tt>null</tt> instead of creating one.

<P>However, for the reasons stated above, the creation and destruction of sessions should likely be more tightly controlled by the application.

<P>Here is an example of a reasonable set of policies regarding sessions:
<ul>
 <li>use a <tt>&lt;%@ page session="false" %></tt> directive at the top of every JSP that doesn't use a session
 <li>consider <a href='TopicAction0836-2.html?Id=226'>disabling URL rewriting</a> altogether
 <li>create a new session only when the user logs in
 <li>when the user logs out, invalidate the session and delete any related cookie
 <li>in <tt>web.xml</tt>, ensure the session timeout is set to a value which isn't unnecessarily long
 <li>defend against Cross-Site Request Forgery attacks (which abuse an existing, authenticated session)
</ul>
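<P>The following servlet is an added example, not code from the Java Practices site, showing how the login, logout and CSRF policies above fit together in one place. It assumes the <tt>javax.servlet</tt> API (Servlet 2.5 or later), a request parameter named <tt>Operation</tt> that selects the action, and a user store behind the placeholder <tt>credentialsAreValid</tt>; the attribute and parameter names are illustrative choices. Discarding any session that existed before authentication is an addition to the list above: it ensures the identifier the browser used while anonymous is never promoted to an authenticated one.

```java
// Added example (not from the Java Practices page): one servlet that applies the
// session policies listed above. javax.servlet (Servlet 2.5+) is assumed; the
// parameter and attribute names below are illustrative, not a real application's.
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionPolicyServlet extends HttpServlet {

  private static final String CSRF_TOKEN = "csrfToken"; // session attribute and form field (assumed names)
  private static final String USER = "user";            // session attribute (assumed name)
  private static final SecureRandom RANDOM = new SecureRandom();

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String operation = request.getParameter("Operation"); // hypothetical dispatch parameter
    if ("Login".equals(operation)) {
      login(request, response);
    } else if ("Logout".equals(operation)) {
      logout(request, response);
    } else {
      // Every other state-changing request must carry the token issued at login.
      if (!hasValidCsrfToken(request)) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
      // ... the application's own action goes here ...
    }
  }

  /** The only place in the application that deliberately creates a session. */
  private void login(HttpServletRequest request, HttpServletResponse response) throws IOException {
    if (!credentialsAreValid(request)) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    // Drop any session that existed before authentication (e.g. one a JSP or
    // getSession() created implicitly), so its id is not reused once logged in.
    HttpSession stale = request.getSession(false);
    if (stale != null) {
      stale.invalidate();
    }
    HttpSession session = request.getSession(true);
    session.setAttribute(USER, request.getParameter("UserName"));
    session.setAttribute(CSRF_TOKEN, newToken());
  }

  /** Invalidate the session and expire the cookie that carried its id. */
  private void logout(HttpServletRequest request, HttpServletResponse response) {
    HttpSession session = request.getSession(false); // never create one just to log out
    if (session != null) {
      session.invalidate();
    }
    Cookie cookie = new Cookie("JSESSIONID", "");
    cookie.setMaxAge(0);                              // max-age 0 tells the browser to delete it
    String path = request.getContextPath();
    cookie.setPath(path.isEmpty() ? "/" : path);      // must match the path the container set
    response.addCookie(cookie);
  }

  /** Compare the submitted token with the one stored at login, in constant time. */
  private boolean hasValidCsrfToken(HttpServletRequest request) {
    HttpSession session = request.getSession(false);  // no session, no valid token
    if (session == null) {
      return false;
    }
    String expected = (String) session.getAttribute(CSRF_TOKEN);
    String submitted = request.getParameter(CSRF_TOKEN);
    if (expected == null || submitted == null) {
      return false;
    }
    return MessageDigest.isEqual(
        expected.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8));
  }

  /** 128 bits from SecureRandom, hex-encoded, as the per-session CSRF token. */
  private static String newToken() {
    byte[] bytes = new byte[16];
    RANDOM.nextBytes(bytes);
    return new BigInteger(1, bytes).toString(16);
  }

  /** Placeholder: a real application checks these against its user store. */
  private boolean credentialsAreValid(HttpServletRequest request) {
    return request.getParameter("UserName") != null && request.getParameter("Password") != null;
  }
}
```

<P>The token stored under <tt>csrfToken</tt> is meant to be emitted as a hidden field in every form that changes state; <tt>MessageDigest.isEqual</tt> is used rather than <tt>String.equals</tt> so the comparison time does not depend on how many leading characters match. The remaining policies live outside the servlet: <tt>&lt;%@ page session="false" %></tt> at the top of each JSP that needs no session, and a <tt>&lt;session-config&gt;&lt;session-timeout&gt;</tt> element in <tt>web.xml</tt> (the value is in minutes) that is no longer than the application really needs.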
<br>

</div>




<div class='topic-section'>See Also :</div>
<div class='main-body'>
 
  
  <a href='TopicAction37f1-2.html?Id=95'>Emit flexible URLs</a> <br>
 
  
  <a href='TopicAction1c49-2.html?Id=109'>Always maintain HttpSessions </a> <br>
 
  
  <a href='TopicAction9f4f-2.html?Id=116'>Beware of custom cookies</a> <br>
 
  
  <a href='TopicAction0836-2.html?Id=226'>Beware of URL rewriting</a> <br>
 
</div>



 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>




</body>

</html>
